NATIONAL SCIENCE FOUNDATION
OFFICE OF INSPECTOR GENERAL
OFFICE OF INVESTIGATIONS

CLOSEOUT MEMORANDUM

Case Number: A08120067

We received an allegation that a proposal[1] submitted to NSF had been placed on the internet. We verified an NSF Program Manager[2] had uploaded the proposal to his personal web page at his university. The accompanying report of investigation and NSF's decision represent the closeout of this case.

    [1] (redacted)
    [2] (redacted). He was at NSF through the Intergovernmental Personnel Act from (redacted).


National Science Foundation
Office of Inspector General

Confidential

Report of Investigation
Case Number A-08120067
26 August 2009

NSF OIG Form 22b (11/06)


REPORT OF INVESTIGATION

Please note this report contains confidential personal information, and it should be disclosed only to individuals who must have knowledge of its contents to facilitate NSF's assessment and resolution of this matter. Unauthorized disclosure may result in personal criminal liability under the Privacy Act, 5 U.S.C. § 552a(i)(1).

Summary of Complaint

In December 2008, we received a telephone call asking about the confidentiality of proposals submitted to NSF; the caller had found what appeared to be a recent NSF proposal on the internet through a Google search. The caller identified the location of the proposal as being on the subject's university web page.[1] We assured the caller it was not NSF's policy or practice to make confidential proposals publically available by placing them on internet web pages, and we would look into how the proposal got there.

Investigation

We conducted a similar Google search and verified the proposal was indeed publically available on the subject's personal university web page (Appendix 1).[2] We downloaded the proposal from the subject's web page (Appendix 2). We noted the proposal was declined and thus would not have been available through a Freedom of Information Act request. We learned the subject is an IPA at NSF from the university.[3] We verified through an eJacket request that the subject had accessed the proposal. The eJacket documentation showed he had accessed the proposal at the end of May 2008, shortly after it was submitted. The eJacket documentation also shows another Program Director,[4] rather than the subject, as the Program Director (PD) responsible for the review and recommendation.

We interviewed the subject (first providing an administrative warning)[5] to determine if he had violated NSF's policy in the handling of this proposal. We asked if he had attended the Program Management Seminar; he responded affirmatively. We asked if he was familiar with NSF's policy about keeping proposals confidential, especially declined proposals; he responded he knew not to release proposals. He further stated he has not released any proposals.

    [1] (redacted).
    [2] Although the proposal can be found through an internet search engine and is thus publicly accessible and downloadable, the subject did not create a link visible to casual viewers of his web page.
    [3] The subject is a Program Director in (redacted). The subject came to NSF from (redacted) via an Intergovernmental Personnel Act (IPA) award (redacted).
    [4] (redacted).
    [5] In order to proceed administratively, we presented the case to an Assistant U.S. Attorney (AUSA) for consideration of prosecution. The AUSA declined criminal prosecution allowing us to give the subject a Kalkines (administrative) warning, which is attached at Appendix 3.

We showed the subject the proposal on his web page and asked if he recognized it; he did. We asked if he had released or distributed this proposal, and he said no. He said he knew the PI and two co-PIs professionally and had funded some of their research. Also, he stated he was not aware of the proposal being on the internet, nor on his university web page. We asked him who had access to the web page and permission to upload documents, and he said only he could have uploaded the proposal, since such actions were password protected.

We asked him why the proposal was on his web page, but he said he did not know how it got there. He said he had not told anyone about the location of this proposal. Although he could not explain why he had uploaded this proposal to his account, he characterized it as a "silly mistake". He asked how we found it, and we told him anyone could find it through a Google search; he noted search engines can find things that shouldn't be found. He offered to delete the file, but we told him we would either want to observe him doing so, or ask an Information Technology person at his university to do so to determine if other NSF sensitive information was there.

We asked the subject why he was accessing a proposal on which he was not the assigned PD. He said this was a Cyber-enabled Discovery and Innovation (CDI) proposal, which was a special kind of interdisciplinary proposal reviewed by a panel comprised of PDs from different divisions and directorates. He added he was not the head PD of the review panel, but was a moderator responsible for soliciting reviews from the external engineering community.

We asked the subject to check his records for any emails or other information that may jog his memory as to why he uploaded a confidential proposal to his personal web page. We also asked the subject to prepare an affidavit with his statement explaining the events that led to him placing the proposal in his university web page (the subject's statement and our MOI are Appendix 4).

After our interview, the subject found several emails he sent to two individuals[6] asking them for a rapid review of the proposal as he was on a tight schedule (Appendix 5). These emails contained an internet link to the proposal saved on the subject's web page. The subject stated he could not have sent the proposal via email as it was too large.[7] Based on the subject's additional information, we reviewed the Form 7[8] and noted neither of these individuals was listed on the Form 7 as having access to the proposal and having been solicited for a review of the proposal (Appendix 6).

    [6] (redacted).
    [7] The subject is mistaken about a proposal being too large to email. This proposal is 5.1 MB, well below the limit of email servers at NSF and at most universities and businesses.
    [8] NSF Form 7 is a programmatic record of potential reviewers and indicates who had access to a particular proposal.

We next interviewed the PD to whom the proposal was assigned (APD).[9] He described the structure of the CDI review panel. We asked if reviewers were generally given access to the proposals without being listed on Form 7, and he said no, that would be unusual. We asked if he recalled anyone on the panel requesting additional reviews just before the panel met. He said no, but he would check his emails to be sure. He further stated if a moderator (i.e., the subject's role) wanted last-minute reviews, s/he would coordinate with the other moderators before contacting potential reviewers. He said any reviewers after the initial solicitation of reviewers would be added to the Form 7. We asked APD if the CDI panel used alternative methods for providing proposals to reviewers, for example a PD posting it to a personal web page. He replied that would be a "terrible breach of confidentiality".[10]

We subsequently interviewed one of the reviewers to whom the subject sent the proposal link.[11] The reviewer did not immediately recall anything specific, but checked his emails and found the subject's request for his review. He remembered being asked by the subject to conduct the review quickly, and he had originally agreed to do so as a favor for the subject, but later decided against it, once he discovered a conflict. He did not recall if he requested the subject send him a link to the proposal rather than an email or if that was the subject's idea. He said he has done many reviews, but always on FastLane, so this procedure was extraordinary. He said he did not circulate the proposal and has a note indicating he deleted the proposal from his computer.

We interviewed the subject again to follow-up on his rationale for pursuing these additional reviews. When we informed him the CDI panel had not requested additional reviews and there was no particular urgency requiring such unorthodox solicitation, the subject said he independently solicited the reviews. He now remembered a previous conversation with one of the co-PIs in which the co-PI requested extra reviews to provide him with additional feedback about the proposal. The subject offered to apologize to the PI and co-PIs, or to whomever it was appropriate for him to apologize. After the question and answer portion of the interview, we asked the subject to log into his university account while we watched, so we could see if additional confidential proposals were present; there were none in either his public or personal folders. We looked at the dates on which the two folders were last accessed and noted neither had been accessed since our last interview. We asked him to delete the proposal, which he did.

    [9] (redacted).
    [10] See attached MOI at Appendix 7.
    [11] (redacted) did not respond to our request for information.

Relevant NSF Policies

NSF's Proposal and Award Manual (PAM) Chapter XI[12] - Information Collection, Release and Dissemination - section A.1 defines an unfunded proposal as sensitive information protected by the Privacy Act. More specifically, PAM XI section F.6 - Pending, Withdrawn, or Declined Grant Proposals states:

        With few exceptions, NSF will not release any information on declined, pending, returned without review or withdrawn proposals to anyone but the submitting PI(s) or Authorized Organizational Representative. Copies of unfunded grant proposals should not be released to anyone (except reviewers as part of the review process) without the specific written agreement of the submitting PI(s) or Authorized Organizational Representative, or the approval of the FOIA Officer.

NSF's Bulletin 08-10 - NSF Policy Regarding the Privacy of Sensitive Information,[13] and particularly the Office of General Counsel's (OGC's) Legal Advisory appendix - The Privacy Act's Application to Proposal Jackets - describes the importance of maintaining accurate information on who has access as well as ensuring the confidentiality of NSF's proposals and the approved methods for disclosure of proposals. It also states: "With a few narrow exceptions, NSF never gives out information on declined or pending proposals to anyone but the PIs and applicant institutions who submitted them." With regard to electronic storage and transmission, it states: "Personnel should use caution when storing electronic files on public drives or allowing 'shared' access to personal hard drives or when storing or transporting information in electronic form ...." Interestingly, OGC notes:

        A reviewer's identity can be withheld from the PI only if the reviewer was given an express promise of confidentiality. The request for review (PAM, Section V. Merit Review, C.2. "Information for Reviewers, Identifying Reviewers' Conflicts-of-Interest and Maintaining Confidentiality"), the FastLane review module, and Form 1230P (for review panel members) contain an express promise of confidentiality to reviewers. The identities of those who receive no promise (for example, persons who submit unsolicited comments) cannot be withheld from the PI who makes a proper Privacy Act request.

Regarding the subject's failure to use NSF Form 7, the PAM, sec. VI.B.4.d[14] notes "In the case of non-FastLane submitted reviews, program staff are responsible for updating the Review Record and for accurately recording the scores submitted by the reviewers." This requirement is reinforced through the Required Documentation Matrix showing Form 7 is required for merit reviewed proposals.[15]

    [12] http://www.inside.nsf.gov/pubs/pam/pam0409111.htm, viewed July 20, 2009.
    [13] http://infoshare.nsf.gov//showFile/2827/ib081O.pdf, viewed July 20, 2009.
    [14] http://www.inside.nsf.gov/pubs/pam/pam0409/6.htm#VIB4.
    [15] http://www.inside.nsf.gov/pubs/pam/pam0409/6.htm#ex6 1.

Conclusions

Based on the evidence developed during our investigation, we conclude the subject violated several NSF policies and practices when he posted a confidential proposal on his personal web page of his university account. As noted above, the PAM defines the proposal as one of the many pieces of sensitive information a PD handles in the course of his or her duties. The applicable policies make clear that pending proposals must be safeguarded and protected from unauthorized disclosure. Aggravating the matter is the fact that this proposal would not have been, and is not, available through a Freedom of Information Act (FOIA) request, and the subject did not delete it after the panel; it remained on his web page accessible to the public through search engines even after it was declined.

The subject also deviated from NSF's policy and practice when he decided not to include the two additional reviewers on the Form 7. On the topic of tracking reviewers who have electronic access, Bulletin 08-10 notes "User profiles, which define who has access to a system, should be kept current to ensure appropriate access control." It is important for NSF to have an accurate system of records[16] because NSF releases names of reviewers by NSF division and at the Federal Advisory Committee Act (FACA) chartered committee/panel level as reported in the NSF Annual FACA Report to the General Services Administration. Furthermore, it is important to know who has access to a proposal in the event of an unauthorized release or an allegation of plagiarism. Aggravating this omission of reviewers on the Form 7, we reemphasize OGC's admonition and point out that because the subject did not follow NSF policy by soliciting the two additional reviewers through FastLane, they did not receive an express promise of confidentiality. Thus, if the PI submits a Privacy Act request, NSF may not be able to withhold the identity of those individuals.

Therefore, we conclude the subject's posting of a pending (then declined) proposal on his university web page represents a violation of NSF policy and is an unauthorized disclosure of sensitive information, which NSF stresses is to be kept confidential. We conclude the subject's solicitation of reviewers via email and not through FastLane represents a violation of NSF policy.

Recommendations

Based on the conclusions outlined above, we recommend NSF proceed with administrative actions that are appropriate and consistent with previous similar incidents.

    [16] The "Reviewer/Proposal File and Associated Records" system is a subsystem of the "Principal Investigator/Proposal File and Associated Records" system (NSF-50), and contains the reviewer's name, title of proposal(s) reviewed and identifying number, and other related material. 44 U.S.C. 3101; 42 U.S.C. 1870.


NATIONAL SCIENCE FOUNDATION
4201 WILSON BOULEVARD
ARLINGTON, VIRGINIA 22230

September 11, 2009

Dear Dr.:

This letter is to inform you of your failure to:

(1) follow NSF procedure for making unfunded proposals available to external reviewers, thus making the proposal potentially available to unauthorized persons, and

(2) follow NSF procedure for recording external reviewers.

Although these actions were unintentional, I want to emphasize the importance of confidentiality and accurate record keeping in the NSF review process.

If you should seek employment with NSF in the future, you must comply fully with NSF policies and procedures. Feel free to contact me at (703) 292-    if you have any questions.

Sincerely,

Foundation
4201 Wilson Blvd,
Arlington, VA 2230